CISA warns of phishing attack targeting SBA loan relief accounts
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released an alert about phishing attacks that target various government organizations to steal logins for Small Business Administration (SBA) COVID-19 loan relief accounts.
This campaign was observed at the end of July and targets Federal Civilian Executive Branch and state, local, tribal, and territorial government organizations.
In a newer phishing attack that started in August, security researchers saw the threat actor using convincing tricks to fool potential victims into providing personal and financial information.
The alert from CISA contains indicators of compromise that should help recipients detect the phishing attack and take active measures against it. The malicious email has the subject line “SBA Application – Review and Proceed” and comes from the spoofed email address “disastercustomerservice@sba[.]gov.”
A link in the email body promises to take the recipient to the account sign-in page on the SBA website. Credentials entered on this page end up with the attacker.
Checking the source of the message (its full headers) will reveal the real sender address, and comparing that address with the legitimate one exposes the fraud attempt. Paying attention to the URL in the address bar before entering credentials should also keep you from falling for the trick and confirm that you are on the genuine page.
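The sender check described above can be automated. The following Python sketch is an added example, not code from the CISA alert or from this article's author: it compares the visible From domain with the envelope sender and the DMARC result, and matches the subject line quoted in the alert. The sample messages, the `.example` hosts and the finding names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject and claimed sender domain as given in the article.
IOC_SUBJECT = "SBA Application – Review and Proceed"
CLAIMED_DOMAIN = "sba.gov"

def _domain(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def _norm(text):
    """Fold case, dash variants and whitespace runs before comparing."""
    return " ".join(re.sub(r"[-–—]", "-", str(text or "")).casefold().split())

def triage(raw_message):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom, env_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    findings = []
    if _norm(msg["Subject"]) == _norm(IOC_SUBJECT):
        findings.append("subject-matches-alert")
    # Visible From claims SBA while the bounce address belongs elsewhere.
    if from_dom == CLAIMED_DOMAIN and env_dom and env_dom != from_dom:
        findings.append("from-envelope-mismatch")
    # Assumption: Authentication-Results was stamped by your own inbound
    # gateway; the same header added by an outside host proves nothing.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg["Authentication-Results"] or "").lower()))
    if from_dom == CLAIMED_DOMAIN and auth.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    return findings

# Constructed sample messages (headers only), not taken from the CISA alert.
SPOOFED = """\
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.agency.example; spf=fail; dmarc=fail header.from=sba.gov
From: disastercustomerservice@sba.gov
Subject: =?utf-8?q?SBA_Application_=E2=80=93_Review_and_Proceed?=

"""
ALIGNED = """\
Return-Path: <disastercustomerservice@sba.gov>
Authentication-Results: mx.agency.example; spf=pass; dmarc=pass header.from=sba.gov
From: disastercustomerservice@sba.gov
Subject: Account notice

"""
```

Calling `triage(SPOOFED)` reports all three findings, while `triage(ALIGNED)` reports none even though the From address is identical, which is why the From header alone is not a usable indicator.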
CISA recommends that organizations add warning banners to messages from an external source. Even if a message bypasses email defenses, users may then act with more caution.
Reference:
https://us-cert.cisa.gov/ncas/alerts/aa20-225a
Contact Us
Learn more about what Techcess CyberSecurity Group can do for your business.
1-833-TXCYBER
1-833-892-9237
Techcess CyberSecurity Group
6110 Clarkson Lane
Houston, Texas 77055